Details
Description
The implementation of this rule relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many false positives when constants are used to avoid duplicated strings:

let password = "Password" // Compliant
let password = "custom.password" // Compliant
password = "/users/resetUserPassword" // Compliant
foo(password:"password") // Compliant
var obj = MyClass()
obj.fieldNameWithPasswordInIt = "password" // Compliant
In most string-constant use cases, the wordlist item is present in both the symbol name and the string value.
The new approach is to avoid raising an issue when the matched wordlist item is present in both the symbol name and the literal string value.
An exception is made for the following query-parameter and connection-string cases, which are still true positives:

let params = "user=admin&password=Password123" // Sensitive
let connection = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres" // Sensitive
See false-positives on Peach https://peach.sonarsource.com/issues?tags=sonarswift-454
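The heuristic described above, as an added stand-alone example (not the Sonar Swift analyzer's own code, which works on the AST rather than on regexes): a line holding a string assignment is flagged when the receiving symbol contains a credential word and the literal does not, or when the literal itself carries a key=value pair such as password=postgres. The word "password" comes from the ticket; the other three wordlist entries are assumed here to match RSPEC-2068's documented defaults, and the sample lines are the ticket's examples plus two constructed ones.

```python
import re
from typing import List, Optional, Tuple

# Credential words the rule looks for. "password" is the one the ticket shows;
# passwd/pwd/passphrase are assumed here to match RSPEC-2068's defaults.
CREDENTIAL_WORDS = ("password", "passwd", "pwd", "passphrase")

# Simplified Swift-ish matcher for `symbol = "literal"` and `label:"literal"`,
# enough for the one-line examples in the ticket.
ASSIGNMENT_RE = re.compile(r'([A-Za-z_][\w.]*)\s*[:=]\s*"([^"]*)"')

# key=value form inside the literal (query string / connection string),
# e.g. `password=postgres` or `password = Password123`.
KEY_VALUE_RE = re.compile(
    r"\b(?:" + "|".join(CREDENTIAL_WORDS) + r")\s*=\s*[^\s&;]+",
    re.IGNORECASE,
)


def classify(line: str) -> Optional[str]:
    """Return "Sensitive", "Compliant", or None when the line has no string assignment."""
    match = ASSIGNMENT_RE.search(line)
    if match is None:
        return None
    symbol, literal = match.group(1), match.group(2)

    # Exception kept as a true positive: the literal itself carries a
    # password=... pair, whatever the receiving symbol is called.
    if KEY_VALUE_RE.search(literal):
        return "Sensitive"

    words_in_symbol = [w for w in CREDENTIAL_WORDS if w in symbol.lower()]
    if not words_in_symbol:
        return "Compliant"

    # New approach: the credential word appears in both the symbol name and the
    # value, so the string is most likely a key, field name or message constant.
    if any(w in literal.lower() for w in words_in_symbol):
        return "Compliant"

    # Symbol is named like a credential but the value carries no hint of being
    # a constant name: treat it as a hard-coded secret.
    return "Sensitive"


def scan(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Classify each line; None means the line was not a string assignment."""
    return [(line, classify(line)) for line in lines]


if __name__ == "__main__":
    # Constructed sample: the ticket's examples plus two extra lines.
    sample = [
        'let password = "Password"',
        'let password = "custom.password"',
        'password = "/users/resetUserPassword"',
        'foo(password:"password")',
        'var obj = MyClass()',
        'obj.fieldNameWithPasswordInIt = "password"',
        'let params = "user=admin&password=Password123"',
        'let connection = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"',
        'let passwordHint = "Enter your password"',  # constructed: compliant under the new approach
        'let password = "hunter2"',                  # constructed: a real hard-coded secret
    ]
    for line, verdict in scan(sample):
        print(f"{verdict or '-':10} {line}")
```

Only the two key=value literals and the constructed `"hunter2"` line are reported; every constant whose symbol and value share the credential word is left alone.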
Attachments
Issue Links
- implements: RSPEC-2068 Hard-coded credentials are security-sensitive (Active)